The second generation Schengen Information System (SIS II) will replace the current system, providing enhanced functionalities. It is currently undergoing extensive testing in close cooperation with European Union (EU) countries and associated countries participating in the Schengen area.

The SIS II Regulation lays down the technical aspects and the operation of SIS II, the conditions for issuing alerts on refusal of entry or stay for non-EU nationals, the processing of data relating to alerts, and conditions of data access and protection. It constitutes the legislative basis for governing SIS II with respect to matters falling under Title IV of the Treaty establishing the European Community (former first pillar).

ACT

Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II).

SUMMARY

The second generation Schengen Information System (SIS II) will be a large-scale information system containing alerts * on persons and objects. It will be used by border guards, customs officers, visa- and law-enforcement authorities throughout the Schengen area, with a view to ensuring a high level of security. This new system is currently undergoing extensive testing in close cooperation with European Union (EU) countries and associated countries participating in the Schengen area (referred to below as the Member States *) and will replace the current system, providing enhanced functionalities.

The SIS II Regulation constitutes the necessary legislative basis for governing SIS II with respect to alert procedures falling under Title IV of the Treaty establishing the European Community (former first pillar). It is supplemented by a decision relating to procedures falling under Title VI of the Treaty on European Union (former third pillar).

Technical architecture and ways of operating SIS II

SIS II will be composed of:

a central system ("Central SIS II");

a national system (the "N.SIS II") in each Member State (the national data systems that will communicate with the Central SIS II);

a communication infrastructure between the central system and the national systems providing an encrypted virtual network dedicated to SIS II data and the exchange of data between the authorities responsible for the exchange of all supplementary information * (SIRENE Bureaux).

SIS II data will be entered, updated, deleted and searched via the various national systems. The central system, which will perform technical supervision and administration functions, is located in Strasbourg (France). It will provide the necessary services for the entry and processing of SIS II data. A backup central system, capable of ensuring all functionalities of the principal central system in the event of failure of this system, is located near Salzburg (Austria). Each Member State will be responsible for setting up, operating and maintaining its own national system and for connecting it to the central system. It designates an authority, the national SIS II office (N.SIS II office), which has central responsibility for its national SIS II project. This authority will be responsible for the smooth operation and security of its national system.

Each Member State designates its SIRENE Bureau. Supplementary information relating to SIS II alerts will be exchanged in accordance with the provisions of the “SIRENE Manual” and by using the communication infrastructure. Member States will keep a reference to the decisions giving rise to an alert at the SIRENE Bureau.

Member States will be liable for any damage caused to a person through the use of the national SIS II systems. They will also ensure that any potential misuse of data entered in SIS II or any exchange of supplementary information contrary to this regulation will be subject to effective, proportionate and dissuasive penalties.

Operational management of the Central SIS II will consist of all the necessary tasks for keeping it running 24 hours a day, 7 days a week, in accordance with this regulation.

After a transitional period, a management authority, funded from the general budget of the EU, shall be responsible for the operational management of the Central SIS II and for a number of tasks relating to the communication infrastructure (supervision, security and coordination of relations between Member States and the provider). The Commission will be responsible for all other tasks relating to the communication infrastructure.

During a transitional period before the management authority takes up its responsibilities, the Commission shall be responsible for the operational management of Central SIS II. In accordance with the Financial Regulation applicable to the general budget of the European Communities, the Commission may delegate the operational management and tasks relating to implementation of the budget to national public-sector bodies in two different countries that meet the specific criteria outlined in Article 15, paragraph 4 of the SIS II Regulation.

The regulation contains provisions to ensure adequate protection of personal data. In cooperation with the national supervisory authorities and the European Data Protection Supervisor, the Commission will accompany the start of the operation of SIS II with an information campaign informing the public about the objectives, the data stored, the authorities having access and the rights of individuals.

Alerts issued in respect of non-EU nationals for the purpose of refusing entry and stay

SIS II will only contain those categories of data supplied by each of the Member States, which are necessary for alerts for refusing entry or stay. Once the system is operational and alerts are included in it, the SIS II will only be possible to store the following information on persons for whom an alert has been issued: surname(s) and forename(s), name(s) at birth, aliases, specific physical characteristics, place and date of birth, sex, photographs, fingerprints, nationality(ies), whether the person concerned is armed, violent or has escaped, reason for the alert, authority issuing the alert, a reference to the decision giving rise to the alert and link(s) to other alerts issued in SIS II. It will also include the action to be taken in the event that there is a “hit” (i.e. if a competent national authority finds an alert in SIS II concerning a non-EU national on whom they have carried out a check). Should a Member State be unable to perform the requested action after obtaining a hit in SIS II, it will immediately inform the Member State that issued the alert.

Photographs and fingerprints will be used to confirm the identity of a non-EU national who has been located as a result of an alphanumeric search made in SIS II. As soon as this becomes technically possible, fingerprints may also be used to allow identification of a non-EU national on the basis of his/her biometric identifier. Before this functionality is implemented in SIS II, the Commission will present a report on the availability and readiness of the required technology.

Data on non-EU nationals, for whom an alert has been issued for refusing entry or stay, will be entered on the basis of a national alert based on a decision by the competent courts and administrative authorities taken on the basis of an individual assessment. An alert will be entered where the decision is based on a threat to public policy, to public security or to national security, which the presence of the non-EU national in question in the territory of a Member State may pose. It will also be possible to enter an alert when the decision is based on the fact that the non-EU national has been subject to a measure involving expulsion.

Access to and processing of data in SIS II

Authorities responsible for border control and other police and customs checks within the Member State concerned will have a right to access alerts. By extension, it will also be possible for national judicial authorities to access the system for the performance of their tasks. In any case, users will only be able to access data that is required for the performance of their tasks.

Before issuing an alert, Member States will determine whether the case is relevant enough to warrant the entry of the alert in SIS II. These alerts will only be kept for the time required to achieve the purposes for which they were entered. A Member State issuing an alert shall review the need to keep it within three years of its entry in SIS II.

It will only be possible to copy data for technical purposes. Such copies, which lead to off-line databases, may be retained for no more than 48 hours. It will not be possible to use data for administrative purposes.

A Member State issuing an alert will be responsible for ensuring that the data are accurate, up-to-date and lawfully entered in SIS II. Only the Member State issuing an alert will be authorised to modify, add to, correct, update or delete data that it has entered. If a Member State other than that issuing an alert obtains evidence suggesting that an item of data is incorrect, it will inform the Member State that issued the alert as soon as possible. The Member State that issued the alert will check the communication and, if necessary, correct or delete the item in question without delay. If the Member States are unable to reach an agreement within two months, the Member State that did not issue the alert will submit the matter to the European Data Protection Supervisor who will act as a mediator, jointly with the national supervisory authorities concerned.

It will be possible for a Member State to create a link between alerts it enters in SIS II, but this should only be done when there is a clear operational need.

Data processed in SIS II will not be transferred or made available to non-EU countries or to international organisations.

Data protection

Processing of sensitive categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and data concerning health or sex life) will be prohibited.

Any person will have the right to request access to data relating to him/her (personal data *) that has been entered in SIS II, and to have factually inaccurate personal data corrected or unlawfully stored personal data deleted.

Information may not be communicated to the data subject if this is indispensable for the performance of a task in connection with an alert or for the protection of the rights and freedoms of third parties. Regarding the exercise of their rights of correction and deletion, individuals will be informed about the follow-up as soon as possible, and in any event no later than three months from the date of their application for correction or deletion.

It will be possible for any person to bring an action before the competent courts or authorities to access, correct, delete, or obtain information or compensation in connection with an alert relating to him/her.

The European Data Protection Supervisor will check that the personal data-processing activities of the management authority are carried out in accordance with this regulation. S/he will also ensure that an audit of the personal data-processing activities is carried out at least every four years. A report of this audit will be sent to the European Parliament, the Council, the management authority, the Commission and the national supervisory authorities.

The national supervisory authorities and the European Data Protection Supervisor cooperate actively. They exchange relevant information, assist one another and meet at least twice a year.

Final provisions

The regulation will apply to the Member States participating in the current Schengen Information System (SIS 1+) from the date to be set by the Council (acting by unanimity of its members representing the governments of the Member States participating in SIS 1+) once all necessary technical preparations for SIS II have been completed at central and Member State level and once all implementing measures have been adopted. Precise information on this matter is given in Article 55 of the regulation and in the legal instruments governing migration from SIS 1+ to SIS II.

Three years after the SIS II is brought into operation, and then every four years, the Commission will produce an overall evaluation of the Central SIS II and the bilateral and multilateral exchanges of supplementary information between Member States. It will transmit the evaluation to the European Parliament and the Council.

Key terms used in the act

Alert: a set of data entered in SIS II allowing the competent authorities to identify a person with a view to taking specific action.

Member States: EU countries and associated countries participating in the Schengen area. The United Kingdom and Ireland are not participating in aspects of SIS II falling under this regulation.

Supplementary information: information not stored in SIS II, but connected to SIS II alerts, which is to be exchanged, in order to allow Member States to consult or inform each other in the following cases: when entering an alert, following a hit in order to allow the appropriate action to be taken, when the required action cannot be taken, when dealing with the quality of SIS II data, when dealing with the compatibility and priority of alerts, when dealing with the right of access.

Additional data: data stored in SIS II and connected with SIS II alerts, which are to be made immediately available to the competent authorities of a Member State where a person in relation to whom data has been entered in SIS II is located as a result of searches made there.

Personal data: any information relating to an identified or identifiable natural person.

Processing of personal data: any operation or set of operations, which is performed upon personal data, whether or not by automatic means, such as: collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Commission Decision 2010/261/EU of 4 May 2010 on the Security Plan for Central SIS II and the Communication Infrastructure [Official Journal L 112 of 5.5.2010].
This decision provides for the organisation of the security of the Central SIS II and its communication infrastructure, and establishes a security plan for both. The purpose is to ensure protection against any threats to their availability, integrity and confidentiality. The Commission is responsible for implementing and monitoring the security measures for the communication infrastructure and, during the transitional period, for the Central SIS II. Once the management authority becomes operational, it must adopt its own security plan for the Central SIS II.

For monitoring the implementation of the security measures, the Commission designates a System Security Officer. A Local Security Officer is designated for the Central SIS II and for the communication infrastructure. They are responsible for implementing and monitoring the security measures and procedures in the principal CS-SIS, including the backup CS-SIS, and in the communication infrastructure respectively.

The System Security Officer, in cooperation with the Local Security Officers, prepares a security policy that provides detailed measures and procedures for protecting the Central SIS II and the communication infrastructure. Among others, the policy provides measures for controlling:

access to data processing facilities;

removable media containing data and any other important assets;

storage of data;

passwords;

access to SIS II hardware and software;

communications through the communication infrastructure.

It also lays down security measures in relation to human resources, defining for example the functions and responsibilities of staff that have access to the Central SIS II.

Commission Decision 2008/333/EC of 4 March 2008 adopting the SIRENE Manual and other implementing measures for the second generation Schengen Information System (SIS II) [Official Journal L 123 of 08.05.2008].
The alerts in SIS II will contain a set of data that is absolutely necessary for identification of a person or object sought. In cases where the future end-users (officers from the competent national authorities) need to take action after obtaining a matching alert, they will require supplementary information on this alert (information that will not be contained in SIS II, but that will be connected to SIS II alerts).

National offices known as SIRENE Bureaux (Supplementary Information Request at the National Entries) have been set up in all Schengen countries to assist with obtaining supplementary information for SIS by acting as the contact points between a Member State creating an alert and one achieving the match. The same offices will be used for SIS II.

The SIRENE Manual is a set of instructions indicating both the general and specific procedures that competent authorities will have to follow for exchanging supplementary information on the following categories of alerts:

alerts for refusal of entry or stay (first pillar);

alerts for arrest for surrender or extradition purposes (this and the following categories fall under the third pillar);

alerts on missing persons;

alerts sought for a judicial procedure;

alerts for discreet and specific checks;

alerts on objects for seizure or use as evidence.

The purpose will be to assure communication among Member States, in particular when entering an alert, acting on an alert, handling multiple alerts, and dealing with the quality of SIS II data or with rights of access.

The implementing measures cover SIS II aspects that, due to their technical nature, level of detail and need for regular updating, are not covered exhaustively by the SIS II legal instruments.

As is the case for other instruments related to SIS II, there are two legal instruments (Commission decisions) for the SIRENE Manual and implementing measures: one for the first pillar (Annex of Decision 2008/333/JHA) and one for the third pillar (Annex of Decision 2008/334/JHA). The Annexes to both decisions are identical.